Configuring Cloudflare Tunnel
If you want to keep your servers extra safe, or you don't have a publicly routable IP address (CGNAT being a pain for homelabbers, or IPv6 not being implemented because of $reason), you may want to consider using Cloudflare Tunnel.
In this post we’re going to see how to set up a Cloudflare tunnel and have application traffic routed through it.
How it works
Cloudflare Tunnel works by opening four connections from your machine to at least two different Cloudflare data centers. Your domain is proxied through Cloudflare, which uses these open connections to reach your server. This way there is no need to expose your machines directly to the Internet.
That's it in a nutshell; now we can take a look at how to configure a Cloudflare tunnel.
Setup
Creating Cloudflare tunnel
Before you begin you will obviously need a Cloudflare account. For our purposes even the free plan will be enough.
Once you’re set with that, you’re good to go.
To begin with, log into the Cloudflare Zero Trust interface, navigate to Access->Tunnels and create a new Cloudflare tunnel. Pick your OS and you will get installation instructions for the cloudflared daemon for your environment.
Cloudflared will open TCP/UDP connections on port 7844 to the Cloudflare data centers, so make sure that outgoing traffic to port 7844 is allowed.
Service configuration
Once you have the cloudflared daemon installed on your server, you can set up a public hostname that will be routed through the tunnel.
To do that, on the tunnel configuration page select Public Hostname. You will be presented with a straightforward form to set up a domain that you wish to proxy through the tunnel.
Just make sure that the (sub)domain you add to your tunnel does not already exist in your DNS zone, otherwise the setup will fail.
And that's pretty much it. It's very straightforward to set up and configure a working tunnel.
You can also add some custom configuration for cloudflared on your server by editing the /usr/local/etc/cloudflared/config.yaml file. (It might be a different location on your machine depending on the OS).
Monitoring
The cloudflared daemon has two monitoring endpoints you can use.
/ready will return whether the tunnel is up and running and the number of active connections towards the Cloudflare data centers.
/metrics will return metrics in Prometheus format. You can find some pretty good prebuilt Grafana dashboards online.
To enable metrics, in the config file just add:
metrics: localhost:40355
The port is arbitrary 🙂 (the endpoints are then reachable at http://localhost:40355/ready and http://localhost:40355/metrics).
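As an added example (not from the original post or from Cloudflare), here is a small health check that polls the /ready endpoint on the metrics port configured above and flags the tunnel as degraded when fewer than the four expected connections are up. The JSON field names (status, readyConnections) and the sample responses are assumptions constructed for the example; the post only states that /ready reports up/down and the connection count.

```python
#!/usr/bin/env python3
"""Health check for a locally running cloudflared daemon via its /ready endpoint."""
import json
import sys
import urllib.error
import urllib.request

# Must match the "metrics:" line in cloudflared's config.yaml (40355 in the post).
READY_URL = "http://localhost:40355/ready"

# Constructed sample responses (assumed shape; field names are not from the post).
SAMPLE_HEALTHY = '{"status":200,"readyConnections":4,"connectorId":"placeholder"}'
SAMPLE_DEGRADED = '{"status":200,"readyConnections":2,"connectorId":"placeholder"}'
SAMPLE_DOWN = '{"status":503,"readyConnections":0,"connectorId":"placeholder"}'


def evaluate_ready(body, expected_connections=4):
    """Classify a /ready body as ('healthy'|'degraded'|'down', connection_count).

    A tunnel normally holds four connections to at least two data centers;
    fewer than that still works but has lost redundancy, so it is 'degraded'.
    """
    data = json.loads(body)
    conns = int(data.get("readyConnections", 0))
    if data.get("status") != 200 or conns == 0:
        return "down", conns
    if conns < expected_connections:
        return "degraded", conns
    return "healthy", conns


def fetch_ready(url=READY_URL, timeout=3.0):
    """Fetch the live endpoint. A 503 still carries a JSON body; a refused
    connection (daemon not running) is reported as down."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.read().decode()
    except urllib.error.URLError:
        return SAMPLE_DOWN


if __name__ == "__main__":
    state, conns = evaluate_ready(fetch_ready())
    print(f"cloudflared tunnel {state}: {conns} active connection(s)")
    sys.exit(0 if state == "healthy" else 1)
```

The non-zero exit code makes it usable as a cron or systemd health check that alerts before the last connection drops.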
Wrapping things up
Since your domain will be proxied through Cloudflare, you can take advantage of all the security and enhancement features Cloudflare has to offer.
As you've seen from this blog post, setting up a Cloudflare tunnel is a pretty straightforward and simple process.
Check out the official documentation for even more tunnel possibilities and use cases. We've been running Cloudflare Tunnel in production for a while and it handles production-level traffic without breaking a sweat. 🙂
We would be very happy if you drop us a comment with your experiences and use cases.
If you need additional help on this, or if you are interested in a fully managed AWS infrastructure, feel free to contact us. We’ll gladly help you out!